
[HES2013] Virtually secure, analysis to remote root 0day on an industry leading ssl-vpn appliance by Tal Zeltzer

Today most networks present one “gateway” to the whole network: the SSL-VPN. Because this vector is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in place, the internals of the appliance hide interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.

Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of Fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER!

Audio available here: http://2013.hackitoergosum.org/presentations/Day1-04.Virtually%20Secure,%20Analysis%20to%20Remote%20Root%200day%20on%20an%20Industry%20Leading%20SSL-VPN%20Appliance%20by%20Tal%20zeltzer.mp3
More information about the conference: https://www.hackitoergosum.org

HackitoErgoSum

May 02, 2013

Transcript

  1. Virtually Secure: a journey from analysis to remote root 0day on an industry leading SSL-VPN appliance
  2. Who am I?
     Tal Zeltzer, independent security researcher from Israel
     • Reverse engineering (mostly embedded systems)
     • C/C++ and Python development
     • Zerodays (Adobe Flash, PcAnywhere, EMC Networker, Windows Briefcase,…)
     • No formal education
  3. The research
     • We were interested in exploiting an old vulnerability on an F5 product called FirePass.
     • Overview (taken from F5.com): The FirePass® SSL VPN appliance and Virtual Edition (VE) provide secure remote access to enterprise applications and data for users over any device or network. FirePass ensures easy access to applications by delivering outstanding performance, scalability, availability, policy management, and endpoint security. The result is unified security enforcement and access control that increases the agility and productivity of your workforce.
  4. Note: F5 stated that a new SSL-VPN appliance is available and the FirePass SSL-VPN appliance is supported for legacy purposes.
  5. Advantages of using a virtual appliance vs a normal appliance
     • Runs on x86/x64.
     • Kernel debugging.
     • Software encryption.
  6. Disadvantages of using a virtual appliance vs a normal appliance
     • Incorrect analysis.
     • Different internal implementation.
     • Maintenance issues.
     • Can’t develop memory corruption exploits.
  7. 0day research
     • We can’t work with the vulnerable version.
     • We can only try and find 0days now…
  8. Attack surface (Black box)
     • Open ports: http, https, ssh.
     • Mostly PHP based.
     • This will be our main attack vector for now.
  9. The “debugStub” feature
     • Remote kernel debugging.
     • Use GDB to kernel debug.
     • Unknown kernel version.
  10. Mounting the drive in a different OS
     • Boot partition.
     • Hard drive encryption.
     • Losetup, GPG, rootkey.gpg.
     • Unable to mount the encrypted drives.
  11. Interacting with the boot process
     • Replaced losetup with a busybox shell.
     • Booted and got a shell!
     • Broke the decryption process.
  12. Decrypting the file-system
     • During the normal boot process we noticed a command “/lib/losetup -e …”
     • Decrypted the file-system.
  13. Getting a debug shell
     • Compiled a backdoor.
     • Added it to “init.rd”.
     • Rebooted and got a debug shell on our local appliance.
  14. Attack Surface (White box)
     • Distribution: Slackware 7.1 (June 22, 2000)
     • OpenSSL: 0.9.7d (March 17, 2004)
     • Apache: 1.3.33 (October 29, 2004)
     • …
  15. Attack Surface (White box)
     • Vulnerable applications.
     • Known vulnerabilities.
     • Unknown architecture.
     • Hard to write a reliable memory corruption exploit without a test box.
  16. Attack Surface (White box)
     • Unknown Apache modules.
     • SSH is modified.
     • Downloaded the PHP scripts.
  17. PHP Scripts
     • Found several PHP code obfuscation and encryption solutions.
     • Found one of them on the appliance (“IonCube”).
     • Found a talk by Stefan Esser that explained the situation.
  18. Closed source PHP scripts
     • This solution pre-compiles and encrypts the PHP code.
     • A solution exists (Xdebug / VLD).
     • Since this is an old version of “IonCube” it should work.
  19. Xdebug / VLD
     • Hard to compile.
     • Dropped this angle for now; if everything fails we’ll go back and try it.
  20. Setting up the environment
     • Trying to install tools.
     • Installed GCC, SSH, and others.
     • Enabled the MySQL log.
     • Decided to have another look at the unknown Apache modules.
  21. Analyzing the virtual directory
     • Immediately launched a browser and tried to access the directory.
     • Got an “Invalid parameters” error.
     • Found the tunnel-handler.
     • Launched a disassembler.
  22. Playing with the parameters
     • We already have the MySQL log enabled.
     • While playing with the parameters we found an SQL injection vulnerability.
  23. Writing into outfile
     • When writing into outfile a common query looks like this:
       hello’ union select ‘data’, ‘x’ into outfile ‘/tmp/test’--
       Select logon, usergroup from tblLogSessions where lower(sid) = lower(‘hello’) union select ‘data’, ‘x’ into outfile ‘/tmp/test’-- ‘)
  24. Trying to SQL inject
     • When sending the query string “aaa%20” we get “aaa%20” in the actual query.
     • Turns out that url-encoded strings are not decoded :/
  25. Trying to SQL inject
     • When sending the query string “aaa%20aaa” we get “aaa 0x1.d42…” in the actual query.
     • We got a format string vulnerability at the same argument! (Disassembly confirmed)
  26. The format string
     • Just to be sure, let’s send the query string “%08x--%08x--%08x…”
     • That’s nice but we already have a logical vulnerability; I want a universal exploit!
  27. Trying to SQL inject
     • Turns out that the Apache module doesn’t escape the url-encoded query string.
     • Can’t write characters such as space.
     • How can we write a valid query?
  28. Trying to SQL inject
     • Block comments?
     • A query like “Or/**/1=1/**/)” worked!
     • What about the rest of the query?
     • -- doesn’t seem to work without a trailing space:
       hello’/**/union/**/select/**/‘data’,/**/‘x’/**/into/**/outfile/**/ ‘/tmp/test’--
  29. Trying to SQL inject
     • Documentation confirmed “--” has to have a trailing space.
     • Format string you say? Spaces you say? What about %20d ?
     • Got our valid terminator!
       hello’/**/union/**/select/**/‘data’,/**/‘x’/**/into/**/outfile/**/ ‘/tmp/test’--%20d
  30. MySQL 3.23
     • No union selects.
     • No nested queries.
     • Can’t do a join because we’re at the WHERE condition.
     • Can write into outfile, but since there’s no union we do not control the data that gets written.
       hello‘/**/or/**/ (‘1’=‘1’)/**/into/**/outfile/**/’/tmp/test’/**/--%20d
  31. The table we write into outfile
     • tblLogSessions; contains session info.
     • Updated when we log in successfully.
     • Can’t poison it because we can’t log in.
  32. Really getting mad
     • Read documentation.
     • Read some source code.
     • Asked anyone I know.
     • And then!
  33. Writing into outfile!
     • Can write arbitrary data into the file.
     • What about ‘<?php $mycode ?>’.
       hello‘/**/or/**/(‘1’=‘1’)/**/into/**/outfile/**/’/tmp/test’/**/ fields/**/seperated/**/by/**/0x603c3f706870…3f3e /**/--%20d
  34. Minor down-side
     • This attack will only work if a user or an administrator has ever logged in to the server.
     • I’m guessing it’s not much to ask in a production environment (initial server configuration applies as a login).
  35. Got root?
     • Rootkit the appliance.
     • Sniff traffic (tcpdump is available).
     • Man-in-the-middle VPN clients.
     • Extract certificates.
     • Create our own user and join the network.
  36. Attacking VPN Clients
     • Replace existing PHP scripts (can’t edit them..)
     • If ActiveX installation fails we get a “please download and install this client” message.
     • New client anyone?
  37. F5 – Vulnerability response win
     • From all my vulnerability disclosures F5 impressed me the most.
     • Their response was quick and professional.
     • The patch came soon after.
     • F5 wants to work with all researchers. Contact them at [email protected].
  38. The real PHP encryption
     • Turns out the “IonCube” module is just for PHP acceleration.
     • The encryption is RC4 implemented at the PHP “lexer” level.
  39. Thanks to the EFF
     • Many many thanks to the EFF and Marcia Hofmann for their legal consulting and help.
  40. Greets and Thanks
     • Mati Aharoni (aka muts) – Configuring Linux and highlighting some critical points
     • Oran Avraham – Ninja, helping me out with Linux stuff and solving huge problems in seconds
     • Igor Rayak, Shai Priel, UY, Yuval Ofir, m0she, Gil Dabah, Assaf Nativ
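
A detection-side view of the request strings on slides 24 to 30, as an added example (not code from the talk or from F5): it checks the raw session-id value against an allowlist and labels the patterns the slides describe. The `/handler` path, the `sid` parameter name and the alphanumeric allowlist are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: a legitimate session id is a short alphanumeric token.
SID_ALLOWED = re.compile(r"[0-9A-Za-z]{1,64}")
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# printf conversions (%08x, %20d, %20a); ambiguous with URL encoding, so only a hint.
PRINTF_SPEC = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGaAcspn]")
SQL_SIGNS = {
    "into-outfile": re.compile(r"\binto\s+outfile\b", re.I),
    "union-select": re.compile(r"\bunion\s+select\b", re.I),
    "comment-terminator": re.compile(r"--(\s|$)"),
}

def raw_param(request_line, name="sid"):
    """Return a parameter's value from a request line, still URL-encoded."""
    target = request_line.split(" ")[1]
    for pair in target.partition("?")[2].split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None

def inspect_sid(raw):
    """Return sorted findings for one raw sid value; empty list means clean."""
    if raw is None or SID_ALLOWED.fullmatch(raw):
        return []
    findings = {"not-allowlisted"}
    if PRINTF_SPEC.search(raw):
        findings.add("printf-specifier")
    decoded = unquote(raw)
    if BLOCK_COMMENT.search(decoded):
        findings.add("comment-as-whitespace")
    # Read /**/ as the whitespace the SQL parser will see.
    normalized = BLOCK_COMMENT.sub(" ", decoded)
    findings.update(n for n, rx in SQL_SIGNS.items() if rx.search(normalized))
    return sorted(findings)

# Constructed request lines; the path and parameter name are hypothetical.
SAMPLE_LOG = [
    "GET /handler?sid=3f9a1c0b7e HTTP/1.0",
    "GET /handler?sid=aaa%20aaa HTTP/1.0",
    "GET /handler?sid=hello'/**/or/**/('1'='1')/**/into/**/outfile/**/'/tmp/test'/**/--%20d HTTP/1.0",
]

def scan(lines):
    """Map each flagged line number (1-based) to its findings."""
    hits = {n: inspect_sid(raw_param(l)) for n, l in enumerate(lines, 1)}
    return {n: f for n, f in hits.items() if f}
```

The allowlist is the control that decides; the other labels only help triage, since `%20d` in a URL is both an encoded space followed by `d` and a printf conversion.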